deepflowio / deepflow

eBPF Observability - Distributed Tracing and Profiling
https://deepflow.io
Apache License 2.0

[BUG] Issue while installing Deepflow using helm chart on Openshift #7174

Open Rajpratik71 opened 4 months ago

Rajpratik71 commented 4 months ago

DeepFlow Component

Helm Chart

What you expected to happen

Installation through the Helm chart should succeed.

How to reproduce

helm install deepflow -n deepflow deepflow/deepflow --create-namespace

DeepFlow version

pratikraj@Pratiks-MacBook-Pro ~ % kubectl exec -it -n deepflow deploy/deepflow-server -- deepflow-server -v
Name: deepflow-server community edition
Branch: v6.5
CommitID: aa009e2a56adc6f0afac2dd8f4fbff93e7cab3cd
RevCount: 10641
Compiler: go version go1.21.11 linux/amd64
CompileTime: 2024-07-02 09:20:54
pratikraj@Pratiks-MacBook-Pro ~ % 

DeepFlow agent list

No response

Kubernetes CNI

No response

Operation-System/Kernel version

sh-4.4# 
sh-4.4# awk -F '=' '/PRETTY_NAME/ { print $2 }' /etc/os-release
"Red Hat Enterprise Linux CoreOS 412.86.202403280709-0 (Ootpa)"
sh-4.4# 
sh-4.4# 
sh-4.4# uname -r
4.18.0-372.98.1.el8_6.x86_64
sh-4.4# 

Anything else

Helm install log

pratikraj@Pratiks-MacBook-Pro ~ % helm install deepflow -n deepflow deepflow/deepflow --create-namespace                                                                  
W0703 00:23:31.567756   26830 warnings.go:70] would violate PodSecurity "restricted:v1.24": forbidden AppArmor profile (container.apparmor.security.beta.kubernetes.io/deepflow-agent="unconfined"), host namespaces (hostPID=true), privileged (container "configure-sysctl" must not set securityContext.privileged=true), allowPrivilegeEscalation != false (containers "configure-sysctl", "deepflow-agent" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (containers "configure-sysctl", "deepflow-agent" must set securityContext.capabilities.drop=["ALL"]; container "deepflow-agent" must not include "IPC_LOCK", "NET_ADMIN", "NET_RAW", "SYSLOG", "SYS_ADMIN", "SYS_PTRACE", "SYS_RESOURCE" in securityContext.capabilities.add), restricted volume types (volume "sys-kernel-debug" uses restricted volume type "hostPath"), runAsNonRoot != true (pod or containers "configure-sysctl", "deepflow-agent" must set securityContext.runAsNonRoot=true), runAsUser=0 (container "configure-sysctl" must not set runAsUser=0), seccompProfile (pod or containers "configure-sysctl", "deepflow-agent" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
W0703 00:23:31.949565   26830 warnings.go:70] would violate PodSecurity "restricted:v1.24": allowPrivilegeEscalation != false (container "mysql" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "mysql" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "mysql" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "mysql" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
W0703 00:23:31.949816   26830 warnings.go:70] would violate PodSecurity "restricted:v1.24": allowPrivilegeEscalation != false (container "deepflow-app" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "deepflow-app" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "deepflow-app" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "deepflow-app" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
W0703 00:23:32.302905   26830 warnings.go:70] would violate PodSecurity "restricted:v1.24": allowPrivilegeEscalation != false (containers "init-custom-plugins", "init-grafana-ds-dh", "grafana" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (containers "init-custom-plugins", "init-grafana-ds-dh", "grafana" must set securityContext.capabilities.drop=["ALL"]), seccompProfile (pod or containers "init-custom-plugins", "init-grafana-ds-dh", "grafana" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
W0703 00:23:32.302958   26830 warnings.go:70] would violate PodSecurity "restricted:v1.24": allowPrivilegeEscalation != false (container "stella-agent-ce" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "stella-agent-ce" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "stella-agent-ce" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "stella-agent-ce" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
W0703 00:23:32.303020   26830 warnings.go:70] would violate PodSecurity "restricted:v1.24": allowPrivilegeEscalation != false (container "deepflow-server" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "deepflow-server" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "deepflow-server" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "deepflow-server" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
W0703 00:23:32.629123   26830 warnings.go:70] would violate PodSecurity "restricted:v1.24": allowPrivilegeEscalation != false (containers "clickhouse-init", "clickhouse" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (containers "clickhouse-init", "clickhouse" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or containers "clickhouse-init", "clickhouse" must set securityContext.runAsNonRoot=true), seccompProfile (pod or containers "clickhouse-init", "clickhouse" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
NAME: deepflow
LAST DEPLOYED: Wed Jul  3 00:23:08 2024
NAMESPACE: deepflow
STATUS: deployed
REVISION: 1
NOTES:
██████╗ ███████╗███████╗██████╗ ███████╗██╗      ██████╗ ██╗    ██╗
██╔══██╗██╔════╝██╔════╝██╔══██╗██╔════╝██║     ██╔═══██╗██║    ██║
██║  ██║█████╗  █████╗  ██████╔╝█████╗  ██║     ██║   ██║██║ █╗ ██║
██║  ██║██╔══╝  ██╔══╝  ██╔═══╝ ██╔══╝  ██║     ██║   ██║██║███╗██║
██████╔╝███████╗███████╗██║     ██║     ███████╗╚██████╔╝╚███╔███╔╝
╚═════╝ ╚══════╝╚══════╝╚═╝     ╚═╝     ╚══════╝ ╚═════╝  ╚══╝╚══╝ 

An automated observability platform for cloud-native developers.

# deepflow-agent Port for receiving trace, metrics, and log

deepflow-agent service: deepflow-agent.deepflow
deepflow-agent Host listening port: 38086

# Get the Grafana URL to visit by running these commands in the same shell

NODE_PORT=$(kubectl get --namespace deepflow -o jsonpath="{.spec.ports[0].nodePort}" services deepflow-grafana)
NODE_IP=$(kubectl get nodes -o jsonpath="{.items[0].status.addresses[0].address}")
echo -e "Grafana URL: http://$NODE_IP:$NODE_PORT  \nGrafana auth: admin:deepflow"
pratikraj@Pratiks-MacBook-Pro ~ % 

1473371932 commented 3 months ago

Hello, it appears that Helm output some warning logs, but it ultimately executed successfully. Could you run kubectl get pods -n deepflow to check the status of each pod in the namespace? From your description, I could not discern the specific issue. However, when deploying DeepFlow in OpenShift, additional configurations need to be added to the agent-group-config using deepflow-ctl. For specific configuration details, please refer to this document. For guidance on configuring the agent-group with deepflow-ctl, refer to this document. If you do not have the deepflow-ctl command, please refer to this document.

Rajpratik71 commented 3 months ago

Looks like pods are failing due to the "SCC" restrictions of OpenShift.

A similar "SCC" needs to be created and configured for eBPF.
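
The Helm warnings in this issue can be turned into a per-container list of failed "restricted" checks, which separates workloads that only lack hardening fields from those that request host-level access and so need a dedicated SCC on OpenShift. The Python below is an added example, not part of the thread or of DeepFlow; the sample lines are shortened from the log above and the function names are illustrative.

```python
import re
from collections import defaultdict

# Constructed sample: two warnings shortened from the helm output in the issue.
SAMPLE = [
    'W0703 00:23:31.567756   26830 warnings.go:70] would violate PodSecurity "restricted:v1.24": '
    'host namespaces (hostPID=true), '
    'privileged (container "configure-sysctl" must not set securityContext.privileged=true), '
    'unrestricted capabilities (containers "configure-sysctl", "deepflow-agent" must set '
    'securityContext.capabilities.drop=["ALL"]; container "deepflow-agent" must not include '
    '"NET_ADMIN", "SYS_ADMIN" in securityContext.capabilities.add), '
    'restricted volume types (volume "sys-kernel-debug" uses restricted volume type "hostPath")',
    'W0703 00:23:31.949565   26830 warnings.go:70] would violate PodSecurity "restricted:v1.24": '
    'allowPrivilegeEscalation != false (container "mysql" must set '
    'securityContext.allowPrivilegeEscalation=false), '
    'seccompProfile (pod or container "mysql" must set securityContext.seccompProfile.type '
    'to "RuntimeDefault" or "Localhost")',
]

HEADER = re.compile(r'would violate PodSecurity "([^"]+)":\s*(.*)$')
CHECK = re.compile(r'\s*,?\s*([^()]+?)\s*\(([^()]*)\)')  # "<check> (<detail>)"
SUBJECT = re.compile(r'containers? ((?:"[^"]+"(?:, )?)+) must')
# Checks that mean the workload requests host-level access,
# as opposed to a missing hardening field in securityContext.
HOST_LEVEL = {"host namespaces", "privileged", "restricted volume types"}

def violations(lines):
    """Map each container (or a pod-level key per warning) to its failed checks."""
    found = defaultdict(set)
    for i, line in enumerate(lines, start=1):
        m = HEADER.search(line)
        if not m:
            continue  # not a PodSecurity warning
        for check, detail in CHECK.findall(m.group(2)):
            names = [n for grp in SUBJECT.findall(detail)
                     for n in re.findall(r'"([^"]+)"', grp)]
            # Helm does not name the workload, so pod-level findings are keyed by line.
            for name in names or [f"<pod-level #{i}>"]:
                found[name].add(check)
    return {k: sorted(v) for k, v in found.items()}

def needs_host_access(report):
    """Keys whose findings include at least one host-level check."""
    return sorted(k for k, v in report.items() if HOST_LEVEL & set(v))

if __name__ == "__main__":
    report = violations(SAMPLE)
    for name, checks in sorted(report.items()):
        print(f"{name}: {', '.join(checks)}")
    print("review for a dedicated SCC:", needs_host_access(report))
```

Run against the full log, only the first warning (the pod with `configure-sysctl` and `deepflow-agent`) reports host-level checks; the other workloads fail only on fields that can be set in their `securityContext`.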